I recently created a SAML 2.0 Service Provider using PHP. I used the AuthnRequest Protocol with HTTP-POST binding. This was done to help me understand the basic SAML 2.0 exchanges between a Service Provider and an Identity Provider.
Here is a walkthrough of the logs from the Service Provider I created.
The Service Provider that I created had the URL: http://saml20.abilityweb.us
I have a user created on the SSO Circle Identity Provider. I added my test Service Provider to my SSO Circle account as an authorized service provider. During that process I uploaded the following metadata to the SSO Circle Identity Provider for my PHP Service Provider:
```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://saml20sp.abilityweb.us">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://saml20sp.abilityweb.us/spdbg/sp_logout.php" />
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://saml20sp.abilityweb.us/spdbg/sp.php"/>
  </SPSSODescriptor>
</EntityDescriptor>
```
I chose to use the HTTP-POST binding along with the AuthnRequest Protocol for SAML authentication.
My URL that is supposed to process the response to my AuthnRequest is: http://saml20sp.abilityweb.us/spdbg/home.php
The AuthnRequest generated by the test Service Provider I created looked like this:
```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="4b8cd0a2e0f4ce3932a5e5b7bada22f7d73b7ed5ec" Version="2.0" IssueInstant="2010-04-08T13:44:41Z" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://saml20sp.abilityweb.us/spdbg/sp.php">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://saml20sp.abilityweb.us</saml:Issuer>
  <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="http://saml20sp.abilityweb.us" AllowCreate="true">
  </samlp:NameIDPolicy>
  <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```
The request is then DEFLATED (the result is raw binary, which is why it shows up as unreadable characters in the log):
```
ùS—nõ0}ÔW ø'BîŒ HYâ„¢ië∫ç%¨{3Ê“X2∂ÃköÙÔgâ€Â¥Ã£Â¥Ã¤Jy··r8˜‹s+dù4t›ªÉâ„¡ü–E—©ì È&'ΩUT3HÃŽ
```
It is then Base64-encoded and URL-encoded:
```
nVPRbpswFH3vVyC%2FJxBClM4KSFmqaZG6jSWsD3sz5tJYMrbna5r072fTtIu0ikp54eFyOPfccw4rZJ00dN27g9rBnx7QRdGpkwrp8CYnvVVUMxRIFesAqeN0v%2F52T9NpQo3VTnMtyc32LidZfcubhKWQtBmH%2Bad5yhawqJc1a1iatstmOa%2BX0CyAk%2BgBLAqtcuJpSLRF7GGr0DHl%2FCiZJZMkmyS31WxOs4xms98k%2BqIth0FnTlomEcJnJUMUT%2FA2Kc%2BCPgvVCPU4rr5%2BASH9WlXlpPyxr0i0RgTrvLKNVth3YPdgnwSHX7v7nBycMzSOgzFpgmbKaiGFez5CPe0xRtPUj%2F45NQdDiptVgNHhMnvh6Lgk9rqeFKPLVvEF%2B3mXod893%2Fau1FLw52tSDB53zI2jw0Q0k3aAUhNyRAfKkWhfBgE%2FeyZFK8B%2B4Jf3Wkp93FhgzgfobA%2FBtfj%2FU97uOxcUmqEGPiEHJ3fNnRvdGWYFhgLCiXFHipe4Lok30qexg%2Faa8EZhnPJA7cehvkdtm1Bb4P6wyjKFRlt3Dvg9PcWrR%2B%2Fa8c%2FCy3%2B6%2BAs%3D
```
The deflated and encoded AuthnRequest is then sent over HTTPS to the Identity Provider as the SAMLRequest query parameter, together with the RelayState (the URL on my Service Provider that will handle the response):
```
https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle?SAMLRequest=nVPRbpswFH3vVyC%2FJxBClM4KSFmqaZG6jSWsD3sz5tJYMrbna5r072fTtIu0ikp54eFyOPfccw4rZJ00dN27g9rBnx7QRdGpkwrp8CYnvVVUMxRIFesAqeN0v%2F52T9NpQo3VTnMtyc32LidZfcubhKWQtBmH%2Bad5yhawqJc1a1iatstmOa%2BX0CyAk%2BgBLAqtcuJpSLRF7GGr0DHl%2FCiZJZMkmyS31WxOs4xms98k%2BqIth0FnTlomEcJnJUMUT%2FA2Kc%2BCPgvVCPU4rr5%2BASH9WlXlpPyxr0i0RgTrvLKNVth3YPdgnwSHX7v7nBycMzSOgzFpgmbKaiGFez5CPe0xRtPUj%2F45NQdDiptVgNHhMnvh6Lgk9rqeFKPLVvEF%2B3mXod893%2Fau1FLw52tSDB53zI2jw0Q0k3aAUhNyRAfKkWhfBgE%2FeyZFK8B%2B4Jf3Wkp93FhgzgfobA%2FBtfj%2FU97uOxcUmqEGPiEHJ3fNnRvdGWYFhgLCiXFHipe4Lok30qexg%2Faa8EZhnPJA7cehvkdtm1Bb4P6wyjKFRlt3Dvg9PcWrR%2B%2Fa8c%2FCy3%2B6%2BAs%3D&RelayState=http%3A%2F%2Fsaml20sp.abilityweb.us%2Fspdbg%2Fhome.php
```
The Identity Provider processes this request and handles the authentication. Upon successful authentication, it sends back a Base64-encoded SAMLResponse, POSTed to the AssertionConsumerService URL:
```
PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6
cHJvdG9jb2wiIElEPSJzMmY5ODM3OWIwODNmODMxN2Y2MTQzOGNkM2JkMjZmNTk2MmE0MjUyNzMi
IEluUmVzcG9uc2VUbz0iNGI4Y2QwYTJlMGY0Y2UzOTMyYTVlNWI3YmFkYTIyZjdkNzNiN2VkNWVj
IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxMC0wNC0wOFQxMzo0NDo1NVoiIERlc3Rp
bmF0aW9uPSJodHRwOi8vc2FtbDIwc3AuYWJpbGl0eXdlYi51cy9zcGRiZy9zcC5waHAiPjxzYW1s
Oklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9u
Ij5odHRwOi8vaWRwLnNzb2NpcmNsZS5jb208L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXMgeG1s
bnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI+CjxzYW1scDpT
dGF0dXNDb2RlICB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3Rv
Y29sIgpWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIj4K
PC9zYW1scDpTdGF0dXNDb2RlPgo8L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6
c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InMyZWQwMmVk
NDM3NDIyNGMxZTI2ODRiYTFkOGJlY2EwYjAwZTE5NzA4OCIgSXNzdWVJbnN0YW50PSIyMDEwLTA0
LTA4VDEzOjQ0OjU1WiIgVmVyc2lvbj0iMi4wIj4KPHNhbWw6SXNzdWVyPmh0dHA6Ly9pZHAuc3Nv
Y2lyY2xlLmNvbTwvc2FtbDpJc3N1ZXI+PFNpZ25hdHVyZSB4bWxucz0iaHR0cDovL3d3dy53My5v
cmcvMjAwMC8wOS94bWxkc2lnIyI+CjxTaWduZWRJbmZvPgo8Q2Fub25pY2FsaXphdGlvbk1ldGhv
ZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8
U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxk
c2lnI3JzYS1zaGExIi8+CjxSZWZlcmVuY2UgVVJJPSIjczJlZDAyZWQ0Mzc0MjI0YzFlMjY4NGJh
MWQ4YmVjYTBiMDBlMTk3MDg4Ij4KPFRyYW5zZm9ybXM+CjxUcmFuc2Zvcm0gQWxnb3JpdGhtPSJo
dHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPgo8
VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMx
NG4jIi8+CjwvVHJhbnNmb3Jtcz4KPERpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cu
dzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+CjxEaWdlc3RWYWx1ZT5GVjZOSEZ1RGJhcUN3
S0xUWS9jS2xKbzI1a3c9PC9EaWdlc3RWYWx1ZT4KPC9SZWZlcmVuY2U+CjwvU2lnbmVkSW5mbz4K
PFNpZ25hdHVyZVZhbHVlPgpoS005ZnZkNDQ5UzM5ekNzeElRTU9KOGZQMDZ3OWtQN2tpa2xqdk1w
RzVKd1BObUp5OUZweWJVM3k4NFd5VlkzMHVSVGRZaGVhUnA1CmdhQ3JLZHdjTGFiVjI1TjIzZzM5
ZkZIc2FsdHlyU1k1VUJ3NE5jRm5rZHFndmZPaEJxT2NVcG9VY21jYXhrNUNuMktKanVNei9qWnAK
OXFYR1RnS3NqTmo1YlZsc2FTYz0KPC9TaWduYXR1cmVWYWx1ZT4KPEtleUluZm8+CjxYNTA5RGF0
YT4KPFg1MDlDZXJ0aWZpY2F0ZT4KTUlJQjhUQ0NBVnFnQXdJQkFnSUZBSXh3Wm5Jd0RRWUpLb1pJ
aHZjTkFRRUVCUUF3TGpFTE1Ba0dBMVVFQmhNQ1JFVXhFakFRQmdOVgpCQW9UQ1ZOVFQwTnBjbU5z
WlRFTE1Ba0dBMVVFQXhNQ1EwRXdIaGNOTURrd01qSXlNVFV3TkRJMFdoY05NVEV3TlRJeU1UVXdO
REkwCldqQkxNUXN3Q1FZRFZRUUdFd0pFUlRFU01CQUdBMVVFQ2hNSlUxTlBRMmx5WTJ4bE1Rd3dD
Z1lEVlFRTEV3TnBaSEF4R2pBWUJnTlYKQkFNVEVXbGtjQzV6YzI5amFYSmpiR1V1WTI5dE1JR2ZN
QTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRQ2J6RFJrdWRDLwphQzJnTXFSVlZhTGRQ
SkpFd3BGQjRvNzFmUjVibk5kMm9jbm5OekovVzlDb0Nhcmd6S3grRUo0Tm0zdldtWC9JWlJDRnZy
dnk5Qzc4CmZQMWNtdDZTYTA5MUs5bHVhTUF5V243b0M4aC9ZQlhIN3JCNDJ0ZHZXTFk0S2w5Vkp5
NlVDY2x2YXN5cmZLeCtTUjRLVTZ6Q3NNNjIKMkt2cDV3VzY3UUlEQVFBQk1BMEdDU3FHU0liM0RR
RUJCQVVBQTRHQkFHeWF5ZGZKSERrbTc3QzM5Z3E5YkJiN09xSzhPWEVVVGJJTQpwOFBESlp6SWY5
UWtwa0U3Z0hHY1djdFJLaTdmTmRPTnVsYzVrbjJLMm5idkNHcmJXc1dRdnIvREEwYmprQnJLOE9l
V3BSaExlN2ZsCitKVWdzRXJNY0RJelJUbWpOcFp6VVpwK1dFU1JIVjFqM1NJY2ZZNHRKTTJ1TXQ0
U2MvYWZWbmw1UDZ3TAo8L1g1MDlDZXJ0aWZpY2F0ZT4KPC9YNTA5RGF0YT4KPC9LZXlJbmZvPgo8
L1NpZ25hdHVyZT48c2FtbDpTdWJqZWN0Pgo8c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6
bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDpwZXJzaXN0ZW50IiBOYW1lUXVhbGlmaWVy
PSJodHRwOi8vaWRwLnNzb2NpcmNsZS5jb20iIFNQTmFtZVF1YWxpZmllcj0iaHR0cDovL3NhbWwy
MHNwLmFiaWxpdHl3ZWIudXMiPlhZYTdpekdxdDcwUlJ1UlRzVytUbjZ5TXNtdU48L3NhbWw6TmFt
ZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6
U0FNTDoyLjA6Y206YmVhcmVyIj4KPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNw
b25zZVRvPSI0YjhjZDBhMmUwZjRjZTM5MzJhNWU1YjdiYWRhMjJmN2Q3M2I3ZWQ1ZWMiIE5vdE9u
T3JBZnRlcj0iMjAxMC0wNC0wOFQxMzo1NDo1NVoiIFJlY2lwaWVudD0iaHR0cDovL3NhbWwyMHNw
LmFiaWxpdHl3ZWIudXMvc3BkYmcvc3AucGhwIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+
Cjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDEwLTA0LTA4VDEz
OjM0OjU1WiIgTm90T25PckFmdGVyPSIyMDEwLTA0LTA4VDEzOjU0OjU1WiI+CjxzYW1sOkF1ZGll
bmNlUmVzdHJpY3Rpb24+CjxzYW1sOkF1ZGllbmNlPmh0dHA6Ly9zYW1sMjBzcC5hYmlsaXR5d2Vi
LnVzPC9zYW1sOkF1ZGllbmNlPgo8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4KPC9zYW1sOkNv
bmRpdGlvbnM+CjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxMC0wNC0wOFQx
Mzo0NDo1NFoiIFNlc3Npb25JbmRleD0iczJhOWZiN2FkNjIzYzZhYTJmYjVkNjU3ZjE1YTgwNTVh
OGJiZTRlMDA0Ij48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+
dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRU
cmFuc3BvcnQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48
L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==
```
The Service Provider Base64-decodes the string into the following:
```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2f98379b083f8317f61438cd3bd26f5962a425273" InResponseTo="4b8cd0a2e0f4ce3932a5e5b7bada22f7d73b7ed5ec" Version="2.0" IssueInstant="2010-04-08T13:44:55Z" Destination="http://saml20sp.abilityweb.us/spdbg/sp.php">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.ssocircle.com</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">
    </samlp:StatusCode>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s2ed02ed4374224c1e2684ba1d8beca0b00e197088" IssueInstant="2010-04-08T13:44:55Z" Version="2.0">
    <saml:Issuer>http://idp.ssocircle.com</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="#s2ed02ed4374224c1e2684ba1d8beca0b00e197088">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>FV6NHFuDbaqCwKLTY/cKlJo25kw=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>
hKM9fvd449S39zCsxIQMOJ8fP06w9kP7kikljvMpG5JwPNmJy9FpybU3y84WyVY30uRTdYheaRp5
gaCrKdwcLabV25N23g39fFHsaltyrSY5UBw4NcFnkdqgvfOhBqOcUpoUcmcaxk5Cn2KJjuMz/jZp
9qXGTgKsjNj5bVlsaSc=
      </SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>
MIIB8TCCAVqgAwIBAgIFAIxwZnIwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMCREUxEjAQBgNV
BAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMDkwMjIyMTUwNDI0WhcNMTEwNTIyMTUwNDI0
WjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NPQ2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNV
BAMTEWlkcC5zc29jaXJjbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/
aC2gMqRVVaLdPJJEwpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78
fP1cmt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4KU6zCsM62
2Kvp5wW67QIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAGyaydfJHDkm77C39gq9bBb7OqK8OXEUTbIM
p8PDJZzIf9QkpkE7gHGcWctRKi7fNdONulc5kn2K2nbvCGrbWsWQvr/DA0bjkBrK8OeWpRhLe7fl
+JUgsErMcDIzRTmjNpZzUZp+WESRHV1j3SIcfY4tJM2uMt4Sc/afVnl5P6wL
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="http://idp.ssocircle.com" SPNameQualifier="http://saml20sp.abilityweb.us">XYa7izGqt70RRuRTsW+Tn6yMsmuN</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="4b8cd0a2e0f4ce3932a5e5b7bada22f7d73b7ed5ec" NotOnOrAfter="2010-04-08T13:54:55Z" Recipient="http://saml20sp.abilityweb.us/spdbg/sp.php" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2010-04-08T13:34:55Z" NotOnOrAfter="2010-04-08T13:54:55Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://saml20sp.abilityweb.us</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2010-04-08T13:44:54Z" SessionIndex="s2a9fb7ad623c6aa2fb5d657f15a8055a8bbe4e004">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
```
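Decoding the response is the easy half; what the Service Provider must check before trusting the assertion is the part the log does not show. The following is an added example written for this walkthrough, not the PHP Service Provider's own code. It runs the checks a Service Provider owes a bearer assertion against a response constructed from the values in the logged response above (same IDs, URLs, times and NameID, with the XML-Signature contents replaced by a placeholder), and also pulls out the NameID and SessionIndex that the later LogoutRequest needs. One caveat is deliberate: the metadata above sets WantAssertionsSigned="false", yet SSO Circle signs the assertion anyway, and this example does not verify that signature (that requires an XML-DSig library such as xmlsec); every other check is only meaningful once signature verification has succeeded.

```python
"""Checks a Service Provider should run on a decoded SAML 2.0 Response before
trusting the assertion.  Added example for this walkthrough, not the PHP
Service Provider's own code.  SAMPLE_RESPONSE is constructed from the values
in the logged response; the XML-Signature contents are a placeholder because
this example does not verify signatures (see validate_response).
"""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed from the logged response: same IDs, URLs, times and NameID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="s2f98379b083f8317f61438cd3bd26f5962a425273"
  InResponseTo="4b8cd0a2e0f4ce3932a5e5b7bada22f7d73b7ed5ec" Version="2.0"
  IssueInstant="2010-04-08T13:44:55Z" Destination="http://saml20sp.abilityweb.us/spdbg/sp.php">
 <saml:Issuer>http://idp.ssocircle.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="s2ed02ed4374224c1e2684ba1d8beca0b00e197088" IssueInstant="2010-04-08T13:44:55Z" Version="2.0">
  <saml:Issuer>http://idp.ssocircle.com</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignatureValue>PLACEHOLDER</SignatureValue></Signature>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">XYa7izGqt70RRuRTsW+Tn6yMsmuN</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="4b8cd0a2e0f4ce3932a5e5b7bada22f7d73b7ed5ec"
      NotOnOrAfter="2010-04-08T13:54:55Z" Recipient="http://saml20sp.abilityweb.us/spdbg/sp.php"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-04-08T13:34:55Z" NotOnOrAfter="2010-04-08T13:54:55Z">
   <saml:AudienceRestriction><saml:Audience>http://saml20sp.abilityweb.us</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-04-08T13:44:54Z" SessionIndex="s2a9fb7ad623c6aa2fb5d657f15a8055a8bbe4e004"/>
 </saml:Assertion>
</samlp:Response>"""
# The HTTP-POST binding delivers this Base64-encoded in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

# What this SP expects, taken from its metadata and the AuthnRequest it sent.
SP_CONTEXT = dict(
    expected_request_id="4b8cd0a2e0f4ce3932a5e5b7bada22f7d73b7ed5ec",
    acs_url="http://saml20sp.abilityweb.us/spdbg/sp.php",
    sp_entity_id="http://saml20sp.abilityweb.us",
    idp_entity_id="http://idp.ssocircle.com",
)


def saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def validate_response(response_b64, *, expected_request_id, acs_url, sp_entity_id,
                      idp_entity_id, now, skew=timedelta(seconds=60)):
    """Return the list of reasons to reject the response; empty means accepted.
    Signature verification is NOT performed here (it needs an XML-DSig library
    such as xmlsec); the checks below only mean something once it has passed."""
    errors = []
    root = ET.fromstring(base64.b64decode(response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    if root.get("InResponseTo") != expected_request_id:
        errors.append("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") != acs_url:
        errors.append("Destination is not this SP's ACS URL")
    if _text(root, "saml:Issuer") != idp_entity_id:
        errors.append("unexpected response Issuer")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return errors + ["expected exactly one Assertion, got %d" % len(assertions)]
    a = assertions[0]
    if _text(a, "saml:Issuer") != idp_entity_id:
        errors.append("unexpected Assertion Issuer")
    if a.find("ds:Signature", NS) is None:
        errors.append("Assertion is not signed")
    conf = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or conf.get("Method") != BEARER or data is None:
        errors.append("no bearer SubjectConfirmation")
    else:
        if data.get("Recipient") != acs_url:
            errors.append("SubjectConfirmationData Recipient is not this SP's ACS URL")
        if data.get("InResponseTo") != expected_request_id:
            errors.append("SubjectConfirmationData InResponseTo mismatch")
        if not data.get("NotOnOrAfter") or now >= saml_time(data.get("NotOnOrAfter")) + skew:
            errors.append("bearer confirmation has expired")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now + skew < saml_time(cond.get("NotBefore")):
            errors.append("Assertion is not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= saml_time(cond.get("NotOnOrAfter")):
            errors.append("Assertion has expired")
        audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
        if sp_entity_id not in audiences:
            errors.append("Audience does not include this SP")
    return errors


def session_info(response_b64):
    """NameID and SessionIndex the SP must store to build the later LogoutRequest."""
    a = ET.fromstring(base64.b64decode(response_b64)).find("saml:Assertion", NS)
    return _text(a, "saml:Subject/saml:NameID"), a.find("saml:AuthnStatement", NS).get("SessionIndex")
```

Run against the sample at 2010-04-08T13:44:56Z the checks all pass; run at 14:00:00Z the bearer confirmation and the Conditions window both report expiry, and changing the expected request ID or the SP entityID produces the InResponseTo and Audience rejections. The `now` parameter is passed in rather than read from the clock so that the checks are reproducible; a real SP would use the current time with a small skew allowance, as here.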
When the user wants to log out, I generate the following LogoutRequest:
```xml
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="aaad4e0f4e4f50a3ac594217d95af479f274183578" Version="2.0" IssueInstant="2010-04-08T13:45:04Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://saml20sp.abilityweb.us</saml:Issuer>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NameQualifier="http://idp.ssocircle.com" SPNameQualifier="http://saml20sp.abilityweb.us" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">XYa7izGqt70RRuRTsW+Tn6yMsmuN</saml:NameID>
  <samlp:SessionIndex xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">s2a9fb7ad623c6aa2fb5d657f15a8055a8bbe4e004</samlp:SessionIndex>
</samlp:LogoutRequest>
```
That request is DEFLATED, Base64-encoded and URL-encoded in the same way as the AuthnRequest:
```
nZJfa8IwFMW%2FSsnrsKY1sTZoYSAbgsqmsn9vt22yBdqk9qbM7dOvVQcK4oMveTi55%2F5Obu4YoSwqMbeftnEruW0kOm9XFgbF%2FmZCmtoIC6hRGCglCpeJ9f1iLkKfiqq2zma2IN5sOiEAkDNJFZNMcQoDyHjMwiDKYw6KRbEKIxaMBjwaEe9F1qitmZC2TetGbOTMoAPjWokGtEdZj442wUAwLij7IIk37gKJfWl9EvF6QkCUtWtJJPlyrhL9fucJKVY%2BpLrQ7udbpn6D4%2F5J9%2BSAWrbdZtMbUF7nfG6g0ErLekKOZJ1XPqLNdJ0V0s9sSbz10%2BXSyyGJ92DrEtz1HJ2i857al4qqGzQ6aRxJ3t4h0r%2BPWxfR1apZbfD1bmOGPwssm%2BVxAIc3HwZQibXE7pdmJpe7G7YiwRBilUaQD8NBNgQIVcrzIY9UwGFEeXukqWxXhrID%2FpyY%2FItn25n8AQ%3D%3D
```
It is then sent over HTTPS to the Identity Provider's single-logout endpoint:
```
https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle?SAMLRequest=nZJfa8IwFMW%2FSsnrsKY1sTZoYSAbgsqmsn9vt22yBdqk9qbM7dOvVQcK4oMveTi55%2F5Obu4YoSwqMbeftnEruW0kOm9XFgbF%2FmZCmtoIC6hRGCglCpeJ9f1iLkKfiqq2zma2IN5sOiEAkDNJFZNMcQoDyHjMwiDKYw6KRbEKIxaMBjwaEe9F1qitmZC2TetGbOTMoAPjWokGtEdZj442wUAwLij7IIk37gKJfWl9EvF6QkCUtWtJJPlyrhL9fucJKVY%2BpLrQ7udbpn6D4%2F5J9%2BSAWrbdZtMbUF7nfG6g0ErLekKOZJ1XPqLNdJ0V0s9sSbz10%2BXSyyGJ92DrEtz1HJ2i857al4qqGzQ6aRxJ3t4h0r%2BPWxfR1apZbfD1bmOGPwssm%2BVxAIc3HwZQibXE7pdmJpe7G7YiwRBilUaQD8NBNgQIVcrzIY9UwGFEeXukqWxXhrID%2FpyY%2FItn25n8AQ%3D%3D&RelayState=http%3A%2F%2Fsaml20sp.abilityweb.us%2Fspdbg%2Fhome.php
```
The Identity Provider processes the logout and returns the browser to the RelayState URL.
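Both redirects logged above, the AuthnRequest to the SSORedirect endpoint and the LogoutRequest to the IDPSloRedirect endpoint, go through the same three encoding steps: raw DEFLATE, Base64, then URL-encoding of the result into the SAMLRequest query parameter beside RelayState. The following added example (written for this walkthrough, not the PHP Service Provider's own code) builds both messages from the values on this page, encodes them into the redirect URLs, and decodes a URL back so a log reviewer can read what was sent. It uses the endpoint URLs, entityIDs, IDs and timestamps from the logs above. Two details worth noting from the logs: the ProtocolBinding attribute in the AuthnRequest names the binding the Identity Provider must use for the Response (HTTP-POST to the AssertionConsumerService), while the request itself travels in the redirect URL; and because the metadata sets AuthnRequestsSigned="false", the redirect carries no SigAlg or Signature parameters, so the Identity Provider accepts these requests on the strength of the Issuer alone.

```python
"""HTTP-Redirect binding encoding as logged in this walkthrough, for both the
AuthnRequest and the LogoutRequest: raw DEFLATE, Base64, then URL-encoding
into the SAMLRequest query parameter, plus the reverse for reading a request
back out of a logged URL.  Added example, not the PHP Service Provider's code.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Values from the SP metadata, the logged requests and the IdP endpoints above.
SP_ENTITY_ID = "http://saml20sp.abilityweb.us"
ACS_URL = "http://saml20sp.abilityweb.us/spdbg/sp.php"
RELAY_STATE = "http://saml20sp.abilityweb.us/spdbg/home.php"
IDP_ENTITY_ID = "http://idp.ssocircle.com"
SSO_ENDPOINT = "https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle"
SLO_ENDPOINT = "https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"


def authn_request(request_id, issue_instant):
    """Same shape as the logged AuthnRequest.  ProtocolBinding names the binding
    the IdP must use for the Response (HTTP-POST to the ACS); the request itself
    travels in the redirect URL built below."""
    return f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}"
  Version="2.0" IssueInstant="{issue_instant}" ForceAuthn="false" IsPassive="false"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="{ACS_URL}">
 <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
 <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
   SPNameQualifier="{SP_ENTITY_ID}" AllowCreate="true"/>
 <samlp:RequestedAuthnContext Comparison="exact">
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
 </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def logout_request(request_id, issue_instant, name_id, session_index):
    """Same shape as the logged LogoutRequest; NameID and SessionIndex come from
    the assertion the SP accepted at login."""
    return f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}"
  Version="2.0" IssueInstant="{issue_instant}">
 <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
 <saml:NameID NameQualifier="{IDP_ENTITY_ID}" SPNameQualifier="{SP_ENTITY_ID}"
   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">{name_id}</saml:NameID>
 <samlp:SessionIndex>{session_index}</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def deflate_b64(xml_text):
    """Raw DEFLATE (no zlib header or trailer, hence wbits=-15), then Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def redirect_url(endpoint, message_xml, relay_state):
    """urlencode percent-encodes '/', '+' and '=' in the Base64 exactly as logged (%2F, %2B, %3D)."""
    return endpoint + "?" + urlencode({"SAMLRequest": deflate_b64(message_xml), "RelayState": relay_state})


def decode_redirect_url(url):
    """Reverse the steps: returns (message type, ID, RelayState) read out of a logged URL."""
    query = parse_qs(urlparse(url).query)
    root = ET.fromstring(inflate_b64(query["SAMLRequest"][0]))
    return root.tag.split("}")[1], root.get("ID"), query["RelayState"][0]


if __name__ == "__main__":
    url = redirect_url(SSO_ENDPOINT, authn_request("4b8cd0a2e0f4ce3932a5e5b7bada22f7d73b7ed5ec", "2010-04-08T13:44:41Z"), RELAY_STATE)
    print(url)
    print(decode_redirect_url(url))
```

The encoded SAMLRequest will not be byte-identical to the one in the log, because DEFLATE output depends on the compressor and on the exact whitespace of the XML, but it inflates to the same message, and `decode_redirect_url` is the handy way to read any SAMLRequest out of a captured redirect URL.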